[webauthn] Add Changed Flag to UVM Entry (#1890)

ranjivaprasadvisa has just created a new issue for https://github.com/w3c/webauthn:

== Add Changed Flag to UVM Entry ==
The UVM extension returns up to 3 user verification methods in the authenticatorData object within both the authenticator attestation and assertion.


$$extensionOutput //= (
uvm: [ 1*3 uvmEntry ],
)

uvmEntry = [
userVerificationMethod: uint .size 4,
keyProtectionType: uint .size 2,
matcherProtectionType: uint .size 2
]

The UVM provides RPs with additional data to fine tune their response when granting access to an account / resource. However there are devices that support multiple biometrics and so it is perfectly possible for a biometric UVM to change between credential creation (WebAuthn create()) and credential usage (WebAuthn get()). For example, a user could add a second biometric to the device after creating a credential with an RP and then subsequently use that biometric when authenticating. Indeed, the second biometric could belong to another individual if it is a shared device.

Some RPs would like to know whether the biometric changed between generation of the credential and its subsequent usage i.e., did it change between generation of the attestation and then generation of the assertion. The current UVM entry only describes the type of the UVM i.e., USER_VERIFY_FINGERPRINT. To cater for these cases the uvmEntry object should contain an optional changed flag. The flag will only be populated for the authenticatorData object returned in the assertion. If it is populated and it is set to 1, it will signify a change in the “value” of that UVM type between generation of the attestation and generation of the assertion i.e. a different fingerprint or face (shared device) was used to perform the subsequent authentication, compared to that used to generate the credential. The same could also be true if the passcode / pattern changed between credential generation and subsequent usage. If it is set to 0, it will signify that the UVM “value” did not change between generation of the attestation and the assertion i.e. the same fingerprint / face / pattern / passcode was used to perform authentication, as was used to generate the credential.

Returning whether the UVM “value” changed is a zero knowledge proof and preserves privacy. The RP knows that it changed but does not know what it changed to.
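As an added illustration of how an RP would consume the proposed flag (example code, not from the issue or the WebAuthn spec), the following validates the uvmEntry layout from the CDDL above plus an optional 4th element `changed`, and compares the assertion's UVM against the one recorded at create(). It assumes the CBOR extension output has already been decoded into Python lists; the method codes are from the FIDO Registry of Predefined Values, and the "different_method"/"unknown" verdicts are this example's own policy for the cases the flag does not cover.

```python
"""RP-side handling of the proposed UVM `changed` flag (added example).
Operates on already CBOR-decoded extension output, i.e. plain lists."""

# Method codes from the FIDO Registry of Predefined Values (the issue only
# names USER_VERIFY_FINGERPRINT); only the ones used here are listed.
USER_VERIFY_FINGERPRINT_INTERNAL = 0x0002
USER_VERIFY_PASSCODE_INTERNAL = 0x0004
USER_VERIFY_FACEPRINT_INTERNAL = 0x0010


def parse_uvm_entry(entry):
    """Validate one uvmEntry against the CDDL in the issue, plus the
    proposed optional 4th element `changed` (0 or 1). Returns a dict."""
    if not isinstance(entry, list) or len(entry) not in (3, 4):
        raise ValueError("uvmEntry needs 3 elements, or 4 with the changed flag")
    method, key_prot, matcher_prot = entry[:3]
    # uint .size 4 / .size 2 / .size 2 bounds from the CDDL
    for value, width in ((method, 4), (key_prot, 2), (matcher_prot, 2)):
        if not isinstance(value, int) or not 0 <= value < (1 << (8 * width)):
            raise ValueError("uvmEntry field out of range for uint .size %d" % width)
    changed = None                      # None: flag absent (attestation, or old device)
    if len(entry) == 4:
        if entry[3] not in (0, 1):
            raise ValueError("changed flag must be 0 or 1")
        changed = entry[3]
    return {"method": method, "keyProtection": key_prot,
            "matcherProtection": matcher_prot, "changed": changed}


def parse_uvm_output(uvm):
    """uvm: [ 1*3 uvmEntry ] -- reject empty or oversized arrays."""
    if not isinstance(uvm, list) or not 1 <= len(uvm) <= 3:
        raise ValueError("uvm must contain 1 to 3 entries")
    return [parse_uvm_entry(e) for e in uvm]


def assess_assertion(registered_uvm, assertion_uvm):
    """Compare the UVM stored at create() with the one returned by get().
    Returns "same", "changed", "different_method" or "unknown"; "unknown"
    means no entry carried the flag, so the RP cannot tell whether the
    same fingerprint / face / passcode was used (this example's policy)."""
    registered = {e["method"] for e in parse_uvm_output(registered_uvm)}
    verdict = "same"
    for entry in parse_uvm_output(assertion_uvm):
        if entry["method"] not in registered:
            return "different_method"   # a UVM type not seen at registration
        if entry["changed"] == 1:
            return "changed"            # same type, different biometric/passcode
        if entry["changed"] is None:
            verdict = "unknown"         # authenticator did not populate the flag
    return verdict
```

An RP would typically treat "changed" (and, more conservatively, "unknown") as a reason to require additional verification before granting access to a sensitive resource.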


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1890 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 16 May 2023 15:49:43 UTC